Another eBay scam: Too good to be true.


Earlier this week SophosLabs was alerted to another potential eBay scam (see article on The Register). A high-performance vehicle, included as a featured listing at a ridiculously low price, had attracted suspicion.


Clicking on the item resulted in a rapid redirect to a remote (non-eBay) site. Looking through the eBay-hosted page identified the cause – an embedded Shockwave file (now detected as Troj/ReDir-A).


The Shockwave file (created with SWF Quicker) performs the redirect with a standard getURL() directive.


The result is that the details page for the listing is loaded from a remote, Russian site.


As you can see, the page is crafted to look just like the official page, except that the embedded forms point to a mailto address, not back to eBay. Phishing for eBay credentials does not appear to be the purpose of this scam – clicking on the ‘sign in’ link takes you back to the official eBay sign-in page. Clearly the scammers are happy to abuse legitimate eBay sellers, typically those with good reputations. The seller listed in this scam was a power seller, normally associated with jewellery items.

Clicking on the bid or ‘buy it now’ buttons creates an email to the seller in the default email client, which generates a warning popup from Internet Explorer.


Looking through the root of the Russian site, it would appear this is not the first scam.


This is just another demonstration of the dangers embedded Flash content can present (see previous blog about poisoned adverts). The danger stems from Flash's support for ActionScript, a scripting language based on ECMAScript (i.e. akin to JavaScript). Stricter input validation by eBay would have prevented users from embedding Flash content in description pages.
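One way to enforce the stricter input validation described above is an allowlist sanitizer for seller-supplied description markup. This is an added example, not eBay's or SophosLabs' code; the tag allowlist, the function and class names, and the sample listing are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for seller-supplied description markup (hypothetical policy).
ALLOWED = dict.fromkeys(["p", "br", "b", "i", "u", "ul", "ol", "li", "table", "tr", "td"], ())
ALLOWED.update(a=("href",), img=("src",))
# Containers dropped together with their children (fallback markup, inline code).
DROP_WITH_CONTENT = {"object", "script", "style", "iframe", "applet"}
VOID = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://")


class DescriptionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.rejected, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        if tag not in ALLOWED:
            self.rejected.append(tag)  # recorded so the listing can be flagged for review
        elif not self.skip_depth:
            # Keep only allowlisted URL attributes that use an http(s) scheme.
            kept = [' %s="%s"' % (n, escape(v)) for n, v in attrs
                    if n in ALLOWED[tag] and (v or "").lower().startswith(SAFE_SCHEMES)]
            self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED and tag not in VOID and not self.skip_depth:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_description(markup):
    """Return (clean_markup, rejected_tags) for a seller description."""
    parser = DescriptionSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.rejected


# Constructed sample: a listing description carrying a Flash embed (placeholder URL).
SAMPLE = ('<p>Low mileage, <b>one owner</b>.</p>'
          '<embed src="http://redirect.example/r.swf" width="1" height="1">')
```

A non-empty `rejected` list is a useful signal in its own right: a listing that tried to carry `embed` or `object` markup can be held for review instead of being silently cleaned.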